Reasons not to use TSIG?
David Botham
DBotham at OptimusSolutions.com
Wed Oct 6 15:43:00 UTC 2004
bind-users-bounce at isc.org wrote on 10/06/2004 06:59:09 AM:
> Hello everyone,
>
> I am exploring the possibilities TSIG offers; for the environment I work
> in TSIG seems fine, since it is easy to set up and offers a reasonable
> degree of security from employees doing zone transfers or hammering my
> machines with recursive queries.
>
> And since I am about to use TSIG as widely as possible, I would like to
> know if there are any reasons not to use TSIG.
>
> I can think of just one: TSIG cannot be used to verify zone-content the
> way DNSSEC can. Also, regular queries don't get covered by this.
I do not consider the fact that TSIG can't verify zone content a check in
the minus column. There are a great number of things that TSIG does not
do by design. Verifying zone content is one of them. Others are (in no
particular order):
Making coffee
Tying my shoes
Negotiate SSL connections
etc...
:)
TSIG does a great job at what it is designed to do (imho).
However, if you are interested in interoperation in a Windows environment
for DDNS updates, you may want to look at this:
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cncf/cncf_imp_eqjg.asp
Specifically, skip to the section on "DNS Standards for Secure Dynamic
Update".
hth,
Dave...
>
> But otherwise?
> (In case it matters, we currently have a test setup where TSIG is used
> for "allow-transfer {}" and "allow-notify {}".)
>
> Benjamin Walkenhorst
>
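The test setup Benjamin describes, TSIG gating "allow-transfer" and "allow-notify" in BIND 9, looks like the following named.conf fragments on the primary and the secondary. This is an added illustration, not configuration from either poster; the key name "xfer-key", the zone "example.com", the addresses 192.0.2.1/192.0.2.2 and the secret are constructed placeholders (the secret is the base64 of 32 zero bytes, purely so the file parses; replace it with the output of "tsig-keygen -a hmac-sha256 xfer-key").

```conf
// ---- primary server (192.0.2.1) ----
// Shared secret: constructed placeholder, NOT a real key. Both servers must
// hold the identical key statement (same name, algorithm and secret).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Only AXFR/IXFR requests carrying a valid TSIG from xfer-key are served;
    // an unsigned transfer request from any address is REFUSED.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

// ---- secondary server (192.0.2.2) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

server 192.0.2.1 {
    // Sign every message this server sends to the primary (SOA checks,
    // transfer requests) with xfer-key so the primary's ACL matches.
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "bak.example.com";
    // Accept NOTIFY only when it is signed with the shared key, so a forged
    // NOTIFY from another host cannot trigger a refresh.
    allow-notify { key "xfer-key"; };
};
```

Note that the key-based ACL does not replace the address-based one but sits alongside it: an entry "key xfer-key" matches a signed request regardless of source address, so once the key is listed nothing else in that ACL needs to be. To confirm the policy after loading it with named-checkconf, run a transfer test from the secondary with dig's -y option, e.g. "dig @192.0.2.1 example.com AXFR -y hmac-sha256:xfer-key:<secret>", and the same command without -y; the signed one should return the zone and the unsigned one should come back REFUSED. As Benjamin points out, this covers transfers and notifies only; ordinary queries and the authenticity of the zone data itself are outside TSIG's scope.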